What is the threat?
A long-term, focused theft of call detail records from hacked cell network providers has been uncovered by a group of cybersecurity researchers. Threat actors stole massive amounts of call detail records including – but not limited to – the times and dates of calls and their cell-based locations for at least 20 targeted individuals, though it is possible that additional users’ information was also stolen in the process. The hack is described as a “massive-scale” espionage campaign aimed at surveillance of individuals of interest.
Why is this noteworthy?
The threat actors have broken into multiple cell networks around the world over the past seven years to obtain a large amount of call detail records (CDRs). Using these call records, the threat actors could track the physical location of any customer of the hacked telecommunication companies – including spies and politicians. The original exploit was against a vulnerability on an internet-connected web server, used to gain a foothold on the provider’s internal network. From there, the attackers exploited vulnerabilities on internal machines and may have used other techniques, all in order to steal credentials and gain a backdoor into the organizations’ data systems. These threat actors used tools and techniques commonly associated with the state-sponsored group known as APT10 – though a direct connection to this Chinese state-sponsored group has yet to be confirmed.
What is the exposure or risk?
Once the hackers eventually gained access to a domain controller and the ability to use or create administrative accounts at any of the given cell network providers, they essentially had control of the entire network – allowing them to exfiltrate hundreds of gigabytes of data, primarily a vast number of call detail records. The threat actors successfully compromised personally identifiable information, billing data, call detail records, credentials, email servers and data, and geolocation records of multiple users. When one type of attack was detected and stopped, the threat actors would return later with new tools and techniques. CDR data is the same type of information used by legitimate law enforcement groups to track the movements and contacts of suspects and missing persons, which makes it especially sensitive since it can reveal so much about a person and their activities.
What can you do?
The researchers have noted that North America does not appear to have been a target yet but caution that the situation remains “fluid” and ongoing. Since the attackers have shown their ability to modify and morph attacks, the true extent of what data was stolen and who is impacted is not yet known. Businesses should add an additional security layer for web servers, such as a WAF (web application firewall), to prevent common attacks on Internet-facing web servers. This type of preventative security would have limited or even prevented many of the attacks used in this campaign. Expose as few systems or ports to the Internet as possible and ensure that systems and ports which must be exposed are monitored at all times. Make sure that all exposed web servers and web services are patched, and utilize advanced EDR (endpoint detection and response) such as Cylance.
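Two of the behaviours described above are straightforward to alert on: an account being added to a privileged group on the domain controller, and a single host pushing an unusually large volume of data to the Internet. The following is an added example, not code from the original brief or from any of the researchers or vendors mentioned; the log layout, field names and thresholds are constructed and hypothetical, not any product's real schema.

```python
"""
Detection checks for two behaviours named in the brief:
  1. an account being added to a privileged (admin) group on a domain
     controller, and
  2. an internal host sending an unusually large volume of data outbound,
     consistent with bulk exfiltration of call detail records.
Log lines, field layout and thresholds are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample audit lines: action|host|actor|subject|group
ADMIN_AUDIT_LINES = [
    "group_add|dc01|svc-backup|tmpadmin|Domain Admins",
    "group_add|dc01|hr.admin|jsmith|Helpdesk",
    "group_add|dc01|hr.admin|newuser|Domain Admins",
]
# Constructed sample flow lines: src_host|dst_ip|bytes_out
FLOW_LINES = [
    "web01|203.0.113.10|120000000",
    "web01|203.0.113.10|95000000",
    "billing-db|198.51.100.7|3000000",
    "web01|203.0.113.10|110000000",
]
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
EXFIL_THRESHOLD_BYTES = 200_000_000  # constructed threshold: 200 MB per host

def find_privileged_group_adds(lines, privileged=PRIVILEGED_GROUPS):
    """Return (host, actor, subject, group) for each addition to a privileged group."""
    hits = []
    for line in lines:
        action, host, actor, subject, group = line.split("|")
        if action == "group_add" and group in privileged:
            hits.append((host, actor, subject, group))
    return hits

def find_bulk_outbound(lines, threshold=EXFIL_THRESHOLD_BYTES):
    """Sum bytes_out per source host; return hosts whose total exceeds the threshold."""
    totals = defaultdict(int)
    for line in lines:
        host, _dst, nbytes = line.split("|")
        totals[host] += int(nbytes)
    return {h: b for h, b in totals.items() if b > threshold}

if __name__ == "__main__":
    for hit in find_privileged_group_adds(ADMIN_AUDIT_LINES):
        print("ALERT privileged group change:", hit)
    for host, total in find_bulk_outbound(FLOW_LINES).items():
        print(f"ALERT bulk outbound from {host}: {total} bytes")
```

In practice the same two checks would be fed from the domain controller's security audit log and from firewall or NetFlow exports rather than from inline strings.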
Users should receive proper training in identification and avoidance of phishing, vishing (voice/phone-based phishing) and other fraud techniques. As the data stolen can make it much easier for a threat actor to masquerade as a legitimate company or person, special care should be taken to confirm the identity of anyone calling or emailing into the organization before confidential or personal data is shared.
For more in-depth information about these incidents, please visit the following links:
If you have any questions, please contact our Security Operations Center.